It’s a common misconception that small businesses do not get attacked by cybercriminals as often, but unfortunately, bad actors do not discriminate. According to Veeam’s 2023 Data Protection Trends Report, 85% of ransomware attacks targeted small businesses.
The consequences of small business ransomware attacks are severe, and most small businesses can’t operate during a ransomware attack. Many also don’t have an incident response plan, and of those that did, nearly a third hadn’t tested their plans in six months. A high percentage of small businesses also report having to pay the ransom to regain access to their data.
The high cost of recovering data along with business interruption costs means that up to 60% of small businesses fail after a successful cyberattack.
While these small business ransomware statistics are worrying, those who take cyber resiliency seriously are better prepared to resist cyberattacks. In this article, we’ll provide practical tips on how to assess your vulnerabilities, what to do to protect yourself against ransomware, and how to recover from an attack without paying a ransom.
Key steps include implementing a ransomware response plan and ensuring your company has an affordable backup plan. A further layer of protection is ensuring you have immutable (i.e., unchangeable) backups stored offline that you can use for self-recovery.
Understanding Ransomware for Small Businesses
Cybercriminals understand that small businesses have limited financial and IT resources. They rely on this knowledge to extort small- to medium-sized businesses (SMBs) since they believe SMBs don’t have many options for recovering their data.
Ransomware for Small Businesses
Ransomware is malware that cybercriminals use to lock users’ computers so they can’t gain admission to files and company systems. Hackers often encrypt files so users can’t access them without a decryption key. They also frequently threaten to release private and sensitive company information to the public to pressure victims into paying a ransom.
Unfortunately, paying a ransom doesn’t necessarily mean the end of an attack. In fact, Veeam’s 2023 Ransomware Trends Report noted that while 80% of ransomware victims paid the ransom, 25% still couldn’t recover their data.
Common Tactics Used by Cybercriminals
Cybercriminals use a variety of tactics to infect victims’ computers with malware. The most common forms of ransomware attacks against small businesses are:
- Phishing: Scam emails and text messages that trick users into supplying passwords and login credentials.
- Malicious email attachments: Emails with attachments that contain malware.
- Drive-by attacks: Malware downloaded from an infected website.
- Software vulnerabilities: Using unpatched vulnerabilities on servers to gain access to computer systems.
How Do Ransomware Attacks Affect Small Businesses?
Successful ransomware attacks on small businesses have devastating consequences. Small businesses have limited resources in terms of people and money, so they often can’t afford to be out of business for any period of time. Other challenges include reputational damage and the possibility of legal and regulatory action.
Financial Implications
Aside from the direct cost that comes with paying a ransom, small businesses also face substantial recovery costs. This can include include loss of income, the cost of hiring cybersecurity specialists to identify and remove ransomware, and expenditure to strengthen security. Plus, at the end of the day, there’s still no guarantee the business will be able to recover the data encrypted by cybercriminals. Statistics from the 2023 Ransomware Trends report indicate that, on average, 15% of production data affected by a ransomware attack is lost.
Reputational Damage
Customers and suppliers quickly lose confidence following a ransomware attack, especially if hackers leak confidential company data. After an attack, there’s always suspicion, often rightly so, that the company was somehow negligent because it didn’t have secure data protection systems in place. A direct consequence of this loss of confidence is that the SMB’s customers start to feel vulnerable and take their business elsewhere.
Legal and Regulatory Consequences
Depending on the jurisdiction and the extent of the breach, companies may face multiple penalties from regulatory authorities, including:
- Fines for non-compliance or for failing to adequately protect data.
- Legal action in the form of individual or class action lawsuits.
- Regulatory investigations into the cause and extent of a breach.
- Remediation costs as part of taking corrective action for data vulnerabilities.
Companies are also often required to report data breaches to regulatory authorities and notify potentially affected parties. This only serves to compound the the negative impact to a brand’s reputation when a data breach occurs.
Small Business Vulnerabilities
Small businesses account for between 40% and 50% of the GDP. In the U.S., over 99.9% of companies are SMBs. Having an entrepreneurial approach, most SMBs are privately owned and funded and have small management teams. This makes them more vulnerable to cyberattacks for several reasons, including:
- Limited IT expertise: Many SMBs rely on vendors to develop their IT systems and relatively few have dedicated IT teams. Of those who do, they still often have limited cybersecurity knowledge.
- Budget constraints: Small companies have limited resources and don’t have the money to spend on complex cybersecurity measures.
- Security gaps: SMB IT management ofteny doesn’t have the expertise to implement concepts such as Zero Trust, multi-factor authentication (MFA), and disaster recovery (DR) planning.
- Backups: Many small businesses don’t adhere to or know about the 3-2-1 backup rule, especially the requirements to encrypt backups and keep some copies offline or on separate systems.
How to Protect Your Small Business From Ransomware
Ransomware protection for small businesses is a multifaceted process with three distinct layers. The first layer is to prevent an attack by strengthening your network against intrusion, the second is to implement a backup and recovery process, and the third is implementing incident response plan. Key steps include:
- Employee awareness training: Train employees to recognize and defeat potential cyberthreats and explain that hackers use various techniques to trick employees into providing login and security credentials. The most common trick is phishing, but other techniques include tricking employees into clicking on malicious pop-ups and downloading infected software.
- Cybersecurity measures: Develop a coherent cybersecurity strategy for your business. Cybersecurity best practices include strong authentication and access controls, network security, data encryption, and endpoint protection.
- Backup and recovery plan: Have an effective backup and recovery plan, back up regularly, and keep multiple backups. Scan backups for malware and verify them by simulating the backup recovery process with an offline or virtual machine (VMs), and always encrypt your backups.
- Incident response plan: Prepare a comprehensive ransomware response plan that specifies the steps to take in the event of an incident. Test and review your plan by simulating cybersecurity incidents, and make certain each team member knows their role in containing, eradicating, and restoring services.
Collaborative Ransomware Solutions
With the complexity of today’s modern infrastructure, it’s challenging for an SMB with a small IT department to keep track of all possible cybersecurity threats. However, you can largely overcome these limitations by networking with IT specialists and management from other companies, industry associations, and security providers.
Encourage your IT team to reach out to other IT managers at other companies in the area, including those you have a business relationship with. Set up task groups and meetings where you can discuss cybersecurity and share experiences and knowledge with one another.
Engage With Industry and Government Cyber Resources
Join industry associations to gain ongoing insights into cybersecurity issues. Examples include The Cyber Threat Alliance, the National Cybersecurity Alliance, and the Center for Internet Security. Federal resources include the FBI Internet Crime Complaint Center and the NIST Small Business Cybersecurity Corner.
Partner With Cybersecurity Providers
Consult with cybersecurity service providers and letthem perform a cybersecurity analysis and identify the gaps in your security. Contract with them to provide security and monitoring software, train employees on internet etiquette, and provide support services if you become a victim of a ransomware attack.
Ensuring Regulatory Compliance
Any small business domiciled in the EU or one that does business in those territories must comply with the EU General Data Protection Regulation (GDPR). These requirements strictly regulate data protection and data security and can impose huge penalties for data breaches, including data that’s made public due to cyber theft.
While there are no general or universal data protection laws in the U.S., numerous laws exist that can result in penalties for data breaches. Some of these laws include:
- The Health Information Technology Act for Clinical and Economic Health (HITECH)
- Health Insurance Portability and Accountability Act (HIPAA)
- Driver’s Privacy Protection Act
- Right to Financial Privacy Act
Many of these laws incorporate specific requirements to protect data and report data breaches and strict penalties may be imposed. Several states have strict data protection laws like the following:
- California Privacy Rights Act
- Virginia Consumer Data Protection Act
- Colorado Privacy Act
- New York’s Stop Hacks and Improve Electronic Data Security
- Illinois Biometric Information Privacy Act
The bottom line is, there’s an obligation for SMBs to take active steps to prevent the theft or loss of data in the U.S., and failure to do this may lead to fines from authorities and lawsuits fromthe aggrieved parties.
Small Business Ransomware Case Studies
Here are three small business case studies that show the impact ransomware can have on a business.
St. Margaret’s Health: Spring Valley, IL
In 2021, a ransomware attack on St. Margaret’s Health Hospital in Spring Valley was the tipping point that led to the hospital’s closure. The attack affected the hospital’s billing systems, which meant it couldn’t submit medical claims to health insurers, including Medicaid and Medicare. It took several months to restore systems, the hospital was already in a difficult situation following the COVID-19 pandemic, and the losses arising from the ransomware attack pushed it over the financial cliff.
Toronto Library System
In October 2023, the Toronto Library system was hit by a ransomware attack that took down their entire service. The library refused to pay the ransom, but since they had no backups, it took weeks to restore limited in-library services, and their online library is still down, butexpected to return to service in early 2024.
Lessons Learned
These four examples illustrate the difference having a ransomware strategy in place can make for SMBs. In the successful recoveries, organizations detected the ransomware relatively quickly and had untainted backups available, so recovery was fast. In the other two incidents mentioned above, no backups were available, and the time to rebuild systems severely affected operations, resulting in closures and suspended services.
Protect Your Small Business With Veeam
Statistics show that small businesses are a priority target for ransomware. This is partly because small businesses don’t have the same level of IT security as large organizations, and so SMBs would rather pay the ransom than risk going out of business.
Besides the direct costs of a ransomware attack, SMBs face severe penalties if private or confidential data is stolen and shared. This is why companies should always encrypt their data. If a hacker or anyone else steals the data, it’s useless without the decryption key. To resist ransomware attacks, companies need strong cyber defenses and immutable backups. Being cyber resilient no longer an option, it’s a necessity.
Don’t lose your business. Protect your data with Veeam Backup Solutions for Small Businesses.